Install Proftpd
Update your package lists and install the proftpd server:
apt-get update && apt-get -y install proftpd openssl
During the proftpd installation, choose standalone mode.
Then edit the proftpd configuration file:
nano /etc/proftpd/proftpd.conf
And remove the # at the beginning of the following lines:
DefaultRoot ~
RequireValidShell off
Because most FTP clients prefer passive connections, you need to uncomment the line beginning with #PassivePorts and specify the passive port range you want to use:
PassivePorts 49000 50000
In this example, we will use ports 49000 to 50000.
This way, we can allow incoming connections on this port range with UFW:
ufw allow 49000:50000/tcp
Restart the proftpd server to apply the configuration:
service proftpd restart
Create the SSL Certificate
First, we have to create a folder to store our SSL certificate. In our example, we will use /etc/proftpd/ssl:
mkdir /etc/proftpd/ssl
Then, we can generate the certificate with openssl:
openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
The process will look like this:
root@vps~# openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
Generating a 2048 bit RSA private key
.................+++
..............+++
writing new private key to '/etc/proftpd/ssl/proftpd.key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:-
Locality Name (eg, city) []: Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]: VirtuBox
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:server.virtubox.net
Email Address []:admin@virtubox.net
Restrict access to the generated certificate and private key so that only their owner can read them:
chmod 600 /etc/proftpd/ssl/proftpd.*
Enable TLS with Proftpd
Edit /etc/proftpd/proftpd.conf again and uncomment the line:
Include /etc/proftpd/tls.conf
Then edit the file /etc/proftpd/tls.conf and make it look like this:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
TLSCipherSuite AES128+EECDH:AES128+EDH
TLSOptions NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired off
RequireValidShell no
</IfModule>
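Note that with TLSRequired off, the server still accepts unencrypted FTP sessions alongside TLS ones; set TLSRequired on to refuse them.
To apply the new configuration, restart the proftpd service: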
service proftpd restart
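A quick check of the resulting tls.conf, as an added example that is not part of the original tutorial: the shell function below reports settings that leave FTPS weaker than intended, such as TLSRequired off or a key file readable by other users. The names audit_tls_conf, directive and flag are chosen for this example, and the sample config is constructed from the directives shown above.

```shell
#!/bin/sh
# Added example: audit a ProFTPD mod_tls config for settings that weaken FTPS.
# Function names and messages are this example's own, not part of ProFTPD.

directive() {  # directive NAME FILE: last value set for NAME, comments ignored
    awk -v name="$1" '{ sub(/#.*/, "") }
        tolower($1) == tolower(name) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$2"
}

flag() { echo "WARN: $*"; findings=$((findings + 1)); }

audit_tls_conf() {  # audit_tls_conf FILE: prints findings, returns their count
    findings=0
    [ "$(directive TLSEngine "$1")" = "on" ] ||
        flag "TLSEngine is not on, so mod_tls is inactive"
    [ "$(directive TLSRequired "$1")" = "on" ] ||
        flag "TLSRequired is not on, so plaintext sessions are still accepted"
    case " $(directive TLSProtocol "$1") " in
        *" SSLv3 "*|*" SSLv23 "*|*" TLSv1 "*|*" TLSv1.1 "*)
            flag "TLSProtocol allows a legacy protocol version" ;;
    esac
    case " $(directive TLSOptions "$1") " in
        *" AllowClientRenegotiations "*)
            flag "TLSOptions re-enables client-initiated renegotiation" ;;
    esac
    key=$(directive TLSRSACertificateKeyFile "$1")
    if [ -n "$key" ] && [ -e "$key" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        [ "$(ls -ldL "$key" | cut -c5-10)" = "------" ] ||
            flag "$key is accessible to group or other users"
    fi
    return "$findings"
}

# Constructed sample: the directives from the tls.conf shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol TLSv1.2
TLSOptions NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSRequired off
</IfModule>
EOF
audit_tls_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

On the server, call audit_tls_conf /etc/proftpd/tls.conf; the return code is the number of findings.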
Add a new ftp user
To add a user, you need to define their home folder, which is the website folder you want to use, and include the FTP user in the www-data group. Just replace the folder and your-ftp-user in the following command:
adduser --home /var/www/votredomaine.tld/ --shell /bin/false --ingroup www-data your-ftp-user
The last step is to add group permissions on your website folder:
chmod -R g+rw /var/www/domainname
You can now log in with your favorite FTP client, and your new user will only be able to access their home folder.